Top 10 Steps to Securing Your WordPress Installation!

Open Source is wonderful! The¬†possibilities¬†it provides are¬†truly¬†amazing and there is so much room for¬†customization and addition. Any¬†developer¬†that has played with the WordPress code has found some interesting things he/she could change to their liking, but some have also experienced the flaws. Not everyone looks at open source projects and thinks about sharing, progress and¬†exchanging¬†ideas, instead they see an¬†opportunity¬†to mess with the code and hack other people’s websites. Today, we will look at how one can best secure one’s WordPress Installation and keep their site safe from those who mean it harm.


Step 1: Change File Permissions of WordPress Files and Folders

Using your cPanel file manager or other file manager of choice such FileZila, you can view and change file permissions of entire folders or files. Just right click on the files and folders and make sure you set the CHMOD value to 744 which is probably for the best. This settings gives the owner all rights (read, write and execute) while everyone else can only have the read rights.

If you found that your site’s most important files are having a CHMOD of 777, the you are lucky that someone with knowledge of hacking hasn’t taken advantage of that yet!

Step 2: Don’t Allow Hackers to Find the Admin account

When you install WordPress a super user account called admin is created. Those who find the superuser account and gain access to it will be able to do anything they want! Change the name of this account to something more random and use a password that would be impossible to crack. Something random with a lot of different upper and lower case characters and numbers.

Create a different user account for publishing articles and content and give Editor rights as that will be enough to change all you might need without resorting to the super user admin rights. Change the admin password every now and then, it is a good practice.

Step 3: Use Login Lock Down

Do you know what brute forcing is? The basic concept is that if hackers know a user name they only need a password right? Imagine a text file with over 1 million of possible passwords and program that could try them all out at once! This plugin called Login Lock Down provides you with the security your WP site needs!


After several failed log-ins the plugin will disable the IP address from logging into WordPress for a set amount of time. In the Options Panel you can set how many failed attempts should result in a block and how long that block should last. Really helpful and certainly useful!

Step 4: Choose Strong Passwords

I am not sure how much this needs to be stressed out! Another possible problem is if you have multiple authors on your site and someone hacks one of your editors accounts. This person would be able to cause some serious damage that would take some time to repair, even with all your back-ups.

For this reason, you should send an email to all your staff/authors and have them visit Password Meter and have them make sure their password is strong and safe.

Step 5: Secure WordPress Plugin

There are other plugins that do a similar job, but Secure WordPress is probably one of the best and is worth the installation. This plugin will remove any scattered information that hackers my find and use against you and will also help by blocking out some bad queries providing some basic protection from brute forcing and DoS attacks.

Step 6: Change Default Secret Keys

If you took all the correct steps hackers should have a hard time getting access to most of your files. One tricky thing most people don’t change is their secret keys in the wp-config.php file. The code looks something like this:

define('AUTH_KEY', '');
define('SECURE_AUTH_KEY', '');
define('LOGGED_IN_KEY', '');
define('NONCE_KEY', '');
Use the secret key generator to get some new values you can change inside of the file. These keys are used for hashing and protecting you password and are quite important for the security of your WordPress installation.

Step 7: If You Don’t Need It, Don’t Have It

User accounts that are no longer needed, as well as inactive plugins and old themes you will not be needing anymore are potential threats and a waste of space. Delete them, it is as simple as that.

Step 8: Backup Your Data

This isn’t really a tip to protect your¬†installation. However, hackers that know that a site is backed-up and will¬†quickly¬†be back to normal sometimes tend to just forget about it and leave the site alone. There are a lot of useful back-up plugins¬†available¬†for WordPress so make your pick!

Step 9: Limiting Access to the Admin Account via the IP Address

This is called White-listing an you may have heard of it. It is quite simple really and good hackers know their way around it, most however, will fail in their tracks. This is like building a powerful barrier around the admin folder! In that case, find the wp-admin folder and inside there should be a .htaccess file, and if there isn’t one, make it yourself.
 In the file you should include this code:
AuthUserFile /dev/null
AuthGroupFile /dev/null
AuthName "WordPress Admin Access Control"
AuthType Basic
order deny,allow
deny from all
# Whitelist Your IP address
allow from xx.xx.xx.xxx
# Whitelist Your Office's IP address
allow from xx.xx.xx.xxx
Your task here is to replace the x-es with your corresponding IP address. This means that only you from these IP Addresses can access the admin account. It is important to note that you should not include this in the .htcaccess file in the root directory and only in the one inside the admin folder!

Step 10: Analyse Your Server Logs!

As you know cPanel and similar services come with a Server Log and you should use to monitor for suspicious activity every day. If you have Google Analytic use that as well and if you ever notice a huge increase in traffic that is full of users who quickly exited your site, then ask yourself if you were targeted by a hacker and check your logs! Do not be passive, monitor your site for suspicious activity.


WPsite.net will feature articles on WordPress (themes, plugins, and tutorials, Internet Marketing, Blogging, SEO, Web Design, and Social Media

2 thoughts on “Top 10 Steps to Securing Your WordPress Installation!

Leave a Reply

Your email address will not be published. Required fields are marked *